Tuesday, January 10, 2012

Trendnet Cameras - I always feel like somebody's watching me.

Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was lying around.

First order of business was to update the camera with the most recent firmware:

Device info page confirming firmware version

Now that the device was using the same version of firmware as I was going to dive into, let's get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following URL: http://code.google.com/p/binwalk/

There is all sorts of interesting stuff in the "/server" directory, but we are going to zero in on a specific directory: "/server/cgi-bin/anony/".

# cd server/cgi-bin/anony/
# ls
jpgview.htm mjpeg.cgi mjpg.cgi view2.cgi

The "cgi-bin" directory is mapped to the root directory of the camera's HTTP server. Knowing this, we can make a request to http://192.168.1.17/anony/mjpg.cgi and, surprisingly, we get a live stream from the camera.

video stream. giving no fucks.

Now at first I am thinking, well, the directory is named "anony", that means anonymous, so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest).

Users configured with passwords.

Still, after setting up users with passwords, the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream; I can't really believe this is something that is intended by the manufacturer. Let's see who is out there :)
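A way to check a camera you administer for the behaviour described above, for instance before and after a firmware update. This is an added example, not code from the original post; the function names and verdict strings are assumptions, and the paths are the file names from the /anony/ listing above.

```python
import http.client
import sys
import urllib.error
import urllib.request

# File names from the /server/cgi-bin/anony/ listing, as served under /anony/.
ANONY_PATHS = ["/anony/jpgview.htm", "/anony/mjpeg.cgi",
               "/anony/mjpg.cgi", "/anony/view2.cgi"]
# The camera sits on the LAN, so ignore any proxy set in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, WWW-Authenticate header)."""
    try:
        # open() returns once the headers arrive, so an endless MJPEG body
        # is never read; leaving the with-block closes the connection.
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # 401, 404, ... still carry headers
        return err.code, err.headers.get("WWW-Authenticate")
    except (OSError, http.client.HTTPException):  # refused, timeout, bad reply
        return None, None


def classify(status, challenge):
    """Turn one unauthenticated response into a verdict."""
    if status is None:
        return "unreachable"
    if status == 401:
        return "protected"  # challenge holds the realm, e.g. 'netcam'
    if 200 <= status < 300:
        return "exposed"  # content served without any credentials
    if status == 404:
        return "absent"
    return "review (HTTP %d)" % status


def audit_camera(base_url, paths=ANONY_PATHS, fetch_fn=fetch):
    """Return {path: verdict} for every /anony/ path on one camera."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch_fn(base + path)) for path in paths}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py http://<address of a camera you administer>")
    report = audit_camera(sys.argv[1])
    for path, verdict in report.items():
        print("%-22s %s" % (path, verdict))
    sys.exit(1 if "exposed" in report.values() else 0)
```

The non-zero exit status on any "exposed" path lets the check gate a firmware rollout or run on a schedule.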

Because the web server requires authentication to access it (normally), we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches.

HTTP Auth with 'netcam' realm

Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch.

9,500 results

If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'.

This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.

34 comments:

http://www.geenstijl.nl/. Holland's most favorite website has a topic on these webcams and even a link to this blog! That'll generate a bunch of visitors today for ya! All da best in 2012 for ya, kski from: www.koenski-beterweter.blogspot.com.

Anyone have any idea which Trendnet cameras are affected by this? Clearly the ip110w is, but some of the cameras I've seen that are vulnerable have night vision and I know the ip110 and ip110w do not have night vision. Just wondering which ones this will work with.

DISCONTINUED PRODUCT: The TV-IP110W (Version A1.0R) has been discontinued. It has been replaced by the TV-IP110WN (Version v1.0R). For a list of discontinued products, click here. From page of TRENDnet :(! So they stopped producing them :(!

ALL the netcams from Trendnet are vulnerable (and I suspect a slew of others from different manufacturers). I have one that isn't listed here and it is vulnerable to the auth bypass. I have contacted their customer support (and I suggest you do the same) but they aren't really proactive in solving the issue with a firmware upgrade. If only we could just flash the original firmware with OpenWRT or something different that would give us full control on the camera features...

It is starting to look like all trendnet cameras are vulnerable, they have updated their downloads page with critical updates that "improve security" for the following cameras: TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN, TV-IP110WN, TV-IP110W

We have done the cover of the national newspaper in Buenos Aires about this issue http://translate.google.com/translate?sl=es&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.pagina12.com.ar%2Fdiario%2Fcdigital%2F31-188001-2012-02-21.html

It was very interesting what you found out with the firmware. We have tested it on several other IP cameras but got no access. We would like to hire you for testing the firmware of one of our new products. If you do have interest please call me at: +49 2131 36685676 HMay

Thanks. I upgraded to the 1.1.1.105 firmware and the issue is gone. Unfortunately, so is the 1.1.0.104 firmware from your download link (Trendnet website). Could you provide a link to it? Reason: I run binwalk on 105, cut with dd, and mounted the minix fs. Bytecounts are exactly the same as for 104! The anon dir is still there - it just needs a password now. I would love to run a diff and see what they changed.

Can someone give me a summary on how to use the script? I'm new to codes. Am I supposed to open the script with notepad and save it as htm? Because with binwalk, shodan documentary are all scripts and how am I supposed to use them?
